Which of the following statements describes field aliases?
Which of the following statements describes field aliases?
Field aliases normalize data across different sources and sourcetypes, ensuring consistency in field names regardless of the original field name in the data. This normalization process helps in standardizing and unifying the data for easier searching and reporting.
Field aliases can be used in lookup file definitions B
Yes it's B See p187 in F2
B - P187
B is the correct answer
Pg 181 in Splunk Fundamental 2
Cannot be C as it says (only) answer is B lookups
Well, even though in the PDF says that "Can apply field aliases to lookups" in page 181, in here [1] says "Splunk software applies field aliases to a search after it performs key-value field extraction, but before it processes calculated fields, lookups, event types, and tags. This means that you can create aliases for fields that are extracted at index time or search time, but you cannot create aliases for calculated fields, event types, tags, or fields that are added to your events by a lookup." [1] https://docs.splunk.com/Documentation/Splunk/8.1.0/Knowledge/Addaliasestofields
So, I go for C in this case, as it makes more sense to me for the order of execution of the operations, first aliases then lookups. https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence
C is not correct because it say ONLY source and sourcetype, while it is host, source or sourcetype. p181
Yes your statement is absolutely correct. But take a moment to think on it. That says that you can create Lookups based on Aliases because Aliases are created first at searchtime. But you cannot Create aliases out of results of a lookup what is meant in "fields that are added to your events by a lookup" . So answer is B.